CVE-2022-22969

moderate-risk
Published 2022-04-21

<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.

Do I need to act?

-
0.51% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Communications Design Studio

Affected Vendors

Oracle Pivotal

References (4)

Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22969
Patch https://www.oracle.com/security-alerts/cpujul2022.html
Vendor Advisory https://tanzu.vmware.com/security/cve-2022-22969
Patch https://www.oracle.com/security-alerts/cpujul2022.html
33
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 2/34 · Minimal
Exposure 7/34 · Low